I am using Oracle VirtualBox on Windows. I've setup NAT and forwarded ports.
When some forwarded ports are accidentally conflicting with host machine's ones, no errors are shown and all forwarded ports are failing.
Is there any possibility to detect those conflicting ports? I have used VBoxManage tool and there are neither output messages, nor verbose mode for startvm command.
Thanks
I would recommend using a combination of netstat and VBoxManage and parse the output. You can easily replace the findstr command with grep on non-Windows hosts.
First, I would get a listing of NAT ports on the VM in question. The VBoxManage showvminfo command will output a bunch of info about the configuration which you can filter to look for just the NAT rules. You will want to look for the host port and protocol fields in the output (and possibly host ip if configured) as that is what you will be looking to see if it is already in use.
C:\>vboxmanage showvminfo Linux | findstr Rule
NIC 1 Rule(0): protocol=tcp, host ip=, host port=2222, guest ip=, guest port=22
Second, using the info from above I know I need to check if anything is listening on port TCP port 2222, so I can use the netstat command to show me all the listening sockets, filtered by my criteria:
C:\>netstat -an | findstr LISTENING | findstr TCP | findstr 2222
Proto Local Address Foreign Address State
TCP 0.0.0.0:2222 0.0.0.0:0 LISTENING
Because my guest is already running I can see that it has already grabbed a connection on TCP 2222. If you don't get any output then nothing is listening on that specific port and you are safe to start your VM.
Related
I know that ports 9779 and 9669 need to be opened to NebulaGraph Database. How to test that these ports are open and available?
Port:9779 has been opened for NebulaGraph Database. Is there a configuration sample for reference?
Interesting question, you could do this in many ways, I'll drop some of them:
Assuming you are on a linux machine, you could check all occupied ports with ss or netstats(depending on whether is modern or old) like:
$ ss -plunt | grep 9669
tcp LISTEN 0 4096 0.0.0.0:9669 0.0.0.0:*
tcp LISTEN 0 4096 [::]:9669 [::]:*
And this means 9669 is already occupied in all IPv6 and IPv4 interfaces.
Or, you could try to bind that port to see if it's possible like:
$ python3 -m http.server 9779
Serving HTTP on :: port 9779 (http://[::]:9779/) ...
And if the HTTP server can be listening in this port, it means you are free to use it, it's available!
Or you may use Telnet.
For example:
telnet 10.0.0.1 9669
Search it for detailed instructions.
Background
I have a strange use-case where my VPN cannot be on any of the private subnets, but, also cannot use a TAP interface. The machine will be moving through different subnets, and requires access to the entire private address space by design. A single blocked IP would be considered a failure of design.
So, these are all off limits:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
169.254.0.0/16
In searching for a solution, I came across RFC 5735, which defines:
192.0.2.0/24 TEST-NET-1
198.51.100.0/24 TEST-NET-2
203.0.113.0/24 TEST-NET-3
As:
For use in documentation and example code. It is often used in conjunction with domain names
example.com or example.net in vendor and protocol documentation. As described in [RFC5737], addresses within this block do not legitimately appear on the public Internet and can be used without any coordination with IANA or an Internet registry.
Which, was a "Jackpot" moment for me and my use case.
Config
I configured an OpenVPN server as such:
local 0.0.0.0
port 443
proto tcp
dev tun
topology subnet
server 203.0.113.0 255.255.255.0 # TEST-NET-3 RFC 5735
push "route 203.0.113.0 255.255.255.0"
...[Snip]...
With Client:
client
nobind
dev tun
proto tcp
...[Snip]...
And ufw rules:
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 203.0.113.0/24 -o ens160 -j MASQUERADE
COMMIT
However, upon running I get /sbin/ip route add 203.0.113.0/24 via 203.0.113.1 RTNETLINK answers: File exists in the error logs. While the VPN completes the rest of its connection successfully.
No connection
Running the following commands:
Server: sudo python3 -m http.server 80
Client: curl -X GET / 203.0.113.1
Results in:
curl: (28) Failed to connect to 203.0.113.1 port 80: Connection timed out
I have tried:
/sbin/ip route replace 203.0.113.0/24 dev tun 0 on client and server.
/sbin/ip route change 203.0.113.0/24 dev tun 0 on client and server.
Adding route 203.0.113.0 255.255.255.0 to the server.
Adding push "route 203.0.113.0 255.255.255.0 127.0.0.1" to server
And none of it seems to work.
Does anyone have any idea how I can force the client to push this traffic over the VPN to my server, instead of to the public IP?
This does actually work!
Just dont forget to allow connections within your firewall. I fixed my config with:
sudo ufw allow in on tun0
However, 198.18.0.0/15 and 100.64.0.0/10 defined as Benchmarking and Shared address space respectively, may be more appropriate choices, since being able to forward TEST-NET addresses may be considered a bug.
I have been hired to fix hacking issue for a server, I found that ip 37.187.253.240 and some other ips can connect to specific port, while they are not allowed !.
csf firewall is installed in the server, and that port is not open for all in csf.conf.
only some ips are added in list csf.allow .
current iptables status by iptables -L is :
INPUT Chain (DROP policy), with ACCEPT only for some ips. and this ip 37.187.253.240 hasn't any rule.
to make sure that the csf isn't the cause if I stop csf by csf -x and flush the iptables rules by iptables -F , then added only a DROP rule iptables -A INPUT -p tcp -s 37.187.253.240 -j DROP for that ip , I see it can connect also via netstat
tcp 0 0 server_ip:port 37.187.253.240:16132 ESTABLISHED
Ubuntu 14.04.3 LTS
, hosted in vmware.com.
what are the probabilities of this case ?
Just to make a test, with your CSF firewall disabled and with the iptables rules flushed try this:
ip route add blackhole 37.187.253.240
This will discard all packets received from 37.187.253.240 or sent from your server to 37.187.253.240.
Then check with netstat and see if you still see any connection to or from ip address.
Since the server was hacked it might be possible that there is a process running on the server that previously established a connection to that ip address somehow and that connection remained active.
You could do a lsof -i | grep 16132 and see exactly which process is using that port. If a website from that server was hacked you could restart the httpd/apache service just to kill the connection.
I am using the latest version of boot2docker version 1.3.2, 495c19a on a windows 7 (SP1) 64 bit machine.
My docker container is running a celery process which attempts to connect to a rabbitMQ service running on the same machine that boot2docker is running on.
The Celery process running within the docker container cannot connect to RabbitMQ and reports the following :
[2014-12-02 10:28:41,141: ERROR/MainProcess] consumer: Cannot connect
to amqp:// guest:**#127.0.0.1:5672//: [Errno 111] Connection refused.
Trying again in 2.00 seconds...
I have reason to believe this is a network related issue, associated with routing from the container, to the VirtualBox host, and from the host to the RabbitMQ service running on the local machine; I do not know how to configure this and I was wondering if anyone can advise me how to proceed?
I tried setting up port 5672 in port forwarding but it didn't work (but I believe this is for incoming traffic to the VM, like boot2docker ssh).
I am running the container as docker run -i -t tagname
I am not specifying a host with -h when I run the container.
I'm sorry if this question appears rather clueless or if the answer appears obvious ... I appreciate any help!
Some additional information :
The routing table of the host VM is what boot2docker configured during installation as follows :
docker0 IP Address is 172.17.42.1
eth0 IP Address is 10.0.2.15
eth1 IP Address is 192.168.59.103
eth0 is attached to NAT (Adapter 1) in the VirtualBox VM network configuration.
Adapter 1 has port forwarding setup for ssh; default setting of host IP 127.0.0.1, host port 2022, guest port 22.
eth1 is attached to Host-only adapter (Adapter 2).
Both adapters are set to promiscuous mode (allow all).
The IP Address of the docker container is 172.17.0.33.
[2014-12-02 10:28:41,141: ERROR/MainProcess] consumer: Cannot connect to amqp:// guest:**#127.0.0.1:5672//: [Errno 111] Connection refused. Trying again in 2.00 seconds...
127.0.0.1 is a special IP address that means "me", and inside the container it means "me the container", so this is why it is not connecting to the outer host. So the first thing to do is change the IP address where you are trying to connect to Rabbit to that of the outer host where it is running.
Then you probably have to do something about routing, but let's take one step at a time.
as your RabbitMQ server is running on your Windows host, you need to tell your container that it should talk to that IP - which would probably be 192.168.59.3
most importantly, your container's 127.0.0.1 is only a loopback device to that container's services - not even the boot2docker vm's ports.
You could set up an ambassador container that has --expose=80 and uses something like socat to forward all traffic from that container to your host (see svendowideit/ambassador). Then you'd --link that ambassador container to your current image
but personally, I'd avoid that initially, and just configure your containerised app to talk to the real host's IP
You have to specifc explicitely ports for port redirection separately for boot2docker and docker.
Please try this:
c:\>boot2docker init
c:\>boot2docker up
c:\>boot2docker ssh -L 0.0.0.0:5672:localhost:5672
docker#boot2docker:~$ docker run -it -p 5672:5672 tagname
So I have a NGINX server listening on port 8080 with uwsgi on Vagrant box. The config.vm.forward_port 8080, 80 is not working for me. I know that it's recommended to forward on ports higher than 2000, but I need the 80. Is there any issue for that?
I'm using vagrant for development, but I need to make some tests from outside using my domain name on port 80.
Thanks for your help.
When trying to forward ports to less than 1025 vagrant gives me following message which you might have missed:
You are trying to forward to privileged ports (ports <= 1024). Most
operating systems restrict this to only privileged process (typically
processes running as an administrative user). This is a warning in case
the port forwarding doesn't work. If any problems occur, please try a
port higher than 1024.
I was using port forwarding to same port with following configuration:
config.vm.forward_port 80, 80
And then run vagrant up, but when trying curl localhost, it wasn't able to connect to host. But when running vagrant as sudo user sudo vagrant up, then I was able to access the port from my host.
is port 80 available i.e. if you run netstat -an | grep 80, does it show in the list as already being used by another process? Is uwsgi added to the module list of nginx (and did you run make/make install on it)? Have you tried checking if you need to use higher privilenges (perhaps try running as sudo).